
How to use secureObject or securestring returned from a linked ARM template


How do I use the value of a returned securestring or secureObject that is returned from a linked ARM template?

For example, one child linked template named CreateStorage

  1. creates an Azure storage account
  2. creates blob containers on that account
  3. creates a SAS key for the container
  4. returns the SAS key in the templates outputs section.

e.g. returning the SAS in the template's outputs:

"outputs": {
    "createdContainerSas": {
        "type": "string",
        "value": "[concat('https://', variables('storageAccountName'), '.blob.core.windows.net/', variables('containerName'), '?', listServiceSas(variables('storageAccountName'), '2018-07-01', variables('importSasInputs')).serviceSasToken)]"
    }
}

The main template will then add the SAS key to the KeyVault so that it can be used by the rest of the application. The main template gets the value as follows:

"value": "[reference('CreateStorage').outputs.createdContainerSas.value]"

The problem is that currently the SAS key is returned as a string, meaning that it appears in plain text in the Azure deployments UI.

However, when I change the type of the returned object to either securestring or secureObject, then when createdContainerSas.value is called, the following error is encountered:

{
    "code": "InvalidTemplate",
    "message": "Unable to process template language expressions for resource '/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.Resources/deployments/CreateKeyVault' at line '310' and column '9'. 'The language expression property 'value' doesn't exist, available properties are 'type'.'"
}

So the .value property doesn't seem to exist when returning securestring or secureObject from child linked ARM templates.

The Microsoft docs at https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-templates-outputs say

Output values support the same types as template input parameters.

and both securestring and secureObject are working fine as template input parameters, so I must be doing something wrong.

How do I use the value of a returned securestring or secureObject that is returned from a linked ARM template?


Solution

  • secureString\secureObject types are omitted from the input\output. You cannot "get" them; they are just being passed, that's it. That's why they are called secure. They are not being recorded anywhere. No real workaround.

    In your case you just pull keys where you need them; you don't have to pull them in the nested template and pass them to the parent template.
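The approach the answer describes, as an added example that is not part of the original question or answer: instead of emitting the SAS as an output of a linked template, the template that owns the storage account calls listServiceSas at the point of use, inside the Key Vault secret resource, so the token never passes through any deployment output (plain string outputs are recorded in deployment history; secure outputs cannot be read back at all). The only output is the secret's URI, which is not sensitive. Names (storage account, container, Key Vault), the "container-sas" secret name, the sasInputs variable and the API versions are assumptions for illustration; the Key Vault is assumed to already exist in the same resource group, and sasExpiry must be passed as an ISO 8601 timestamp such as 2030-01-01T00:00:00Z.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "containerName": { "type": "string", "defaultValue": "import" },
    "keyVaultName": { "type": "string" },
    "sasExpiry": { "type": "string" }
  },
  "variables": {
    "storageApiVersion": "2021-09-01",
    "sasInputs": {
      "canonicalizedResource": "[format('/blob/{0}/{1}', parameters('storageAccountName'), parameters('containerName'))]",
      "signedResource": "c",
      "signedPermission": "rl",
      "signedProtocol": "https",
      "signedExpiry": "[parameters('sasExpiry')]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "[variables('storageApiVersion')]",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "kind": "StorageV2",
      "sku": { "name": "Standard_LRS" },
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "allowBlobPublicAccess": false,
        "minimumTlsVersion": "TLS1_2"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "[variables('storageApiVersion')]",
      "name": "[format('{0}/default/{1}', parameters('storageAccountName'), parameters('containerName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ],
      "properties": { "publicAccess": "None" }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/{1}', parameters('keyVaultName'), 'container-sas')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', parameters('containerName'))]"
      ],
      "properties": {
        "contentType": "text/plain",
        "value": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/', parameters('containerName'), '?', listServiceSas(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), variables('storageApiVersion'), variables('sasInputs')).serviceSasToken)]"
      }
    }
  ],
  "outputs": {
    "containerSasSecretUri": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), 'container-sas')).secretUri]"
    }
  }
}
```

Because listServiceSas is evaluated while the secret resource is being deployed, the SAS is written straight into Key Vault and appears in neither the parent nor a nested deployment's outputs. Consumers read it from the vault with their own identity, which also gives you an audit trail and a place to rotate it; the read-only "rl" permission set and the explicit expiry keep the token scoped to what the importer actually needs.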